This lesson is to show you how to create
your own Metasploit Module after conducting the proper Buffer Overflow
Analysis.

What is Damn Vulnerable Windows XP?

This is a Windows XP Virtual Machine that
provides a practice environment to conduct ethical penetration
testing, vulnerability assessment, exploitation and forensics
investigation.

The Microsoft Software License Terms for
the IE VMs are included in the release
notes.

By downloading and using this
software, you agree to these license
terms.

What is PCMan FTP Server?

PCMan's FTP Server is a free program mainly designed for beginners who are not familiar with how to set up a basic FTP server. Configuration is made very easy. Consequently, security was not a major concern of this specific application version. Accordingly, the following exploit (CVE-2013-4730) exists.

I wanted to thank my very talented Hac-King-Do student, Master Mitchell (@bobmitch2311), for assisting me in the creation of pcman_user.rb. Boston College is very lucky to have a Computer Science Student of your caliber.

I wanted to thank my good friend Carlos Cajigas (@carlos_cajigas) for creating LosBuntu and for his generous guidance and mentorship in Cyber Forensics.

We will use fuzzing, pattern_create.rb, and
pattern_offset.rb to determine the offset for PCMan.

We will explain every line of the Windows FTP PCMan Metasploit Module (pcman_user.rb).

We will use pcman_user.rb to check and
exploit the PCMan application.

We will configure a Samba Share on our
Forensics Server (LosBuntu).

We will download WinPMEM to the Samba
Forensics Share.

We will use WinPMEM to Collect Memory
from the PCMan exploit and send the Captured Memory to the Samba
Share.

Legal Disclaimer

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered malicious and is against the law.

LosBuntu really needs 1.5 to 2 GB;
however, you are only configuring MimiKatz with Volatility in this
lesson.

Do NOT click the OK button; we still have more to configure.

Configure CD/DVD(IDE)

Instructions:

Click on CD/DVD(IDE)

Device status: Check Connect at
power on

Connection: Click Use physical drive

Select Auto detect

Note(FYI):

Do NOT click the OK button; we still have more to configure.

Configure Network Adapter

Instructions:

Click on Network Adapter

Network Connection: Click Bridged
(Automatic)

Device status: Check Connect at
power on

Click the OK Button

Play LosBuntu Virtual Machine

Instructions:

Select LosBuntu

Click Play virtual machine

Section 5: Login to LosBuntu

Login to LosBuntu

Instructions:

Password: mtk

Press <Enter>

Open Terminal Windows

Instructions:

Click on the Terminal Window

Become root

Instructions:

sudo su -

password: mtk

pwd

Note(FYI):

Command #1, Use (sudo su -) to simulate an initial root login, in which /etc/profile, .profile and .bashrc are executed. Not only will the root user's environment be present, but the root user will also be placed in its own home directory (/root).

Command #2, Use (pwd) to display the current working directory of the current user.

Command #1, Use (ifconfig) to view all (-a) IP Addresses associated with LosBuntu. You should only have two interfaces: eth0 and lo.

eth0 - Is the primary interface. In my case, the IP Address is 192.168.2.115.

lo - Is the local loopback interface. The loopback address is used to establish an IP connection to the same machine the end-user is working on; it lets a network-capable computer or device validate and exercise its own IP stack.

If your host machine has Internet
Connectivity, but LosBuntu does not have an IP Address associated
with eth0, then issue the following command as root.

dhclient -v

Section 6: Configure Samba

Section Notes

Notes(FYI):

The goal of this section is to configure Samba to allow the victim machine to eventually dump its memory to the (/forensics/pcman) Samba Share folder.

In addition, we will download WinPMEM and set the correct ownership and permissions that will allow WinPMEM to execute on the victim machine from the Samba Share.

Create Forensics Directory (On LosBuntu)

Instructions:

mkdir -p /forensics/pcman

chown -R mtk:mtk /forensics

chmod -R 770 /forensics

ls -ld /forensics/pcman

Note(FYI):

Arrow #1, Use (mkdir) to create the (/forensics/pcman) directory, and use (-p) to create the parent directory as needed and to suppress the error if the directory already exists.

Arrow #2, Use (chown) to change the user and group ownership to user mtk and group mtk for the (/forensics) directory and all underlying directories and files (-R).

Arrow #3, Use (chmod) to set read/write/execute permissions (770) for both user and group, and no permissions for others, on the (/forensics) directory and all underlying directories and files (-R).

Arrow #4, Use (ls) with the flags (-ld) to show the (/forensics/pcman) directory entry itself (-d) in long format (-l), so you can confirm the ownership and permissions you just set.

Arrow #1, Use (telnet) to connect to the IP (192.168.2.106) over port (21) to establish a TCP connection.

Arrow #2, Notice that you receive the same banner that NMAP reports. Because this really old-fashioned technique looks almost like normal traffic, an attacker using it is less likely to set off as many alarms. You should turn off banners on any service that you are running, if the application provides that option.

The previous lesson (Section 11 to Section 15) provided you with a very primitive way to determine how many characters it takes to crash PCMan. However, just crashing PCMan is not enough to determine the buffer offset.

After extensive testing, various students have observed that the reported OFFSET typically falls between 2001 and 2003. Therefore, it is necessary to determine your EXACT OFFSET by using the Metasploit framework sister tools (pattern_create.rb and pattern_offset.rb). These tools will allow you to precisely determine which 4 bytes will overwrite the EIP.

Notes(Terms):

The offset is the number of bytes that must be sent before the EIP is overwritten.

The EIP register
contains the address of the next instruction to be executed.

Arrow #1, Use (pattern_create.rb) to create a unique pattern of 2200 characters. Instead of sending all (A's) to crash PCMan, we will send this unique string instead. The value left in the EIP register can then be used with pattern_offset.rb to determine the exact offset. Use (tee) to display the output and also place that output in a file called (pattern.txt).

Arrow #2, Use (ls -l) to display the file's general information (permissions, ownership, byte size, last update and name).
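To make the offset mechanics concrete, here is a small Python reimplementation of the cyclic-pattern scheme that pattern_create.rb and pattern_offset.rb use. This is an added example written for this page; it is not the Metasploit tools' own code and is not part of the original lesson. The EIP value 0x43376f43 used below is a constructed sample, not the value your debugger will show; substitute the value observed in your own environment.

```python
import string


def pattern_create(length):
    """Generate a Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") of `length` bytes.

    Every 3-byte triplet (upper, lower, digit) is unique, so any 4-byte window
    occurs at exactly one position within the first 20280 bytes (26*26*10*3).
    Lengths beyond that are truncated to the full unique pattern.
    """
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern, eip):
    """Locate the offset of the 4 pattern bytes that landed in EIP.

    `eip` may be the register value as an int (e.g. 0x43376f43, as read from
    the debugger) or the 4-character string itself. x86 is little-endian, so
    the int is converted to bytes in little-endian order before searching.
    Returns None when the bytes are not in the pattern, which means the crash
    did not overwrite EIP with this pattern (wrong length, or a different bug).
    """
    if isinstance(eip, int):
        needle = eip.to_bytes(4, "little").decode("ascii", errors="replace")
    else:
        needle = eip
    index = pattern.find(needle)
    return index if index >= 0 else None


if __name__ == "__main__":
    # Constructed walk-through: 2200-byte pattern, constructed sample EIP value.
    pat = pattern_create(2200)
    print(pat[:30])
    print("offset:", pattern_offset(pat, 0x43376f43))
```

The search works only because every upper/lower/digit triplet is unique, so a 4-byte window is found at exactly one place; a `None` result is the failure mode to check for before trusting any offset, because it means EIP was not overwritten by your pattern at all.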

Open fuzzer3.pl

Instructions:

leafpad fuzzer3.pl

Note(FYI):

Arrow #1, Use (leafpad) to open (fuzzer3.pl). Leafpad is a simple GTK+ based text editor. The user interface is similar to Windows(tm) Notepad.

Arrow #3, [Line 20-27], IF either $IPADDRESS -or- $PORT was not provided via the command line, THEN exit the program.

Explain fuzzer3.pl (Does pattern.txt Exist)

Instructions:

Arrow #1 [Line 30-38], IF the file (pattern.txt) that you created in (Section 11, Step 2) does not exist, THEN exit the program.

Arrow #2, [Line 46], Assign the ($header) variable to "USER". In order to provide a username to an FTP server (i.e., PCMan), you must first specify the string (USER) followed by a <space> and then the actual username.

E.g., (USER
JOHNDOE)

Arrow #3, [Line 52], Use (cat) to assign the ($junk) variable to the entire string of characters located in the file (pattern.txt). The ($junk) variable will actually be the fake username that follows the header string (USER).

E.g., $junk =
"Aa0Aa1Aa2Aa3Aa4..."

Arrow #4, [Line 56],
Assign the ($string) variable to contain the combination of the ($header)
variable
with the ($junk) variable appended.
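On the defensive side, the USER-plus-junk construction described above is also the signature an FTP server administrator or analyst can watch for. The following Python check is an added example for this page, not part of the lesson and not PCMan's own logging: it scans FTP control-channel log lines and flags USER arguments that are oversized, that carry a pattern_create-style cyclic string, or that contain non-printable bytes. The log line format, the client address 192.0.2.10 and the 64-byte threshold are constructed assumptions, not a real PCMan log format.

```python
import re

# Constructed sample FTP control-channel log lines (assumed format, not PCMan's):
# "<date> <time> <client-ip> <COMMAND> [<argument>]"
SAMPLE_LOG = [
    "2013-06-27 10:01:02 192.0.2.10 USER anonymous",
    "2013-06-27 10:01:05 192.0.2.10 PASS guest@example.org",
    # a 2200-byte username made of A's, the primitive crash test from the previous lesson
    "2013-06-27 10:01:30 192.0.2.10 USER " + "A" * 2200,
    # a pattern_create-style cyclic username (constructed, 2220 bytes)
    "2013-06-27 10:02:10 192.0.2.10 USER " + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9" * 74,
    # a short username carrying a non-printable byte
    "2013-06-27 10:03:00 192.0.2.10 USER jo\x90hn",
    "2013-06-27 10:03:20 192.0.2.10 QUIT",
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<cmd>[A-Za-z]+)(?: (?P<arg>.*))?$")
# four or more consecutive upper/lower/digit triplets at the start of the argument
CYCLIC_RE = re.compile(r"^(?:[A-Z][a-z][0-9]){4,}")
MAX_USER_LEN = 64  # assumed threshold; legitimate usernames are far shorter than ~2000 bytes


def classify_user_arg(arg):
    """Return the reasons a USER argument looks like overflow probing; empty if benign."""
    reasons = []
    if len(arg) > MAX_USER_LEN:
        reasons.append("oversized username (%d bytes)" % len(arg))
    if CYCLIC_RE.match(arg):
        reasons.append("cyclic pattern_create-style string")
    if any(not c.isprintable() for c in arg):
        reasons.append("non-printable bytes in username")
    return reasons


def find_suspicious_user_commands(lines):
    """Parse log lines and return one finding per suspicious USER command."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("cmd").upper() != "USER":
            continue
        arg = m.group("arg") or ""
        reasons = classify_user_arg(arg)
        if reasons:
            findings.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "length": len(arg),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_user_commands(SAMPLE_LOG):
        print(finding["ts"], finding["src"], finding["length"], "; ".join(finding["reasons"]))
```

The length check alone catches the overflow attempt, since the page's own offset of roughly 2000 bytes is orders of magnitude longer than any real username; the cyclic-pattern check additionally tells you the sender was measuring the offset rather than just crashing the service.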

Arrow #4, [Line 17], The Rank specifies the reliability of the exploit.

Arrow #5, [Line 20], Include the FTP Method.

Note(FYI):

Arrow #1, The require statement is similar to the include
statement of C and C++ and the import statement of Java. If a program
wants to use any defined module, it can simply load the module files
using the Ruby require statement.

Arrow #5, We use include to embed the Ftp Method in the
class, which is located in the following file for Metasploit v4.7.0.

Arrow #4, [Line 91], DefaultTarget, in this case, sets which target entry will be used by default. 0 refers to the first element specified under Targets.

Explaining pcman_user.rb (Lines: 97 - 119)

Instructions:

Arrow #1 [Line 97-102],
register_options,
in this case, provides the user with an additional option. In this
usage, the default OFFSET is set to 2002. Accordingly, the
user is able to adjust this value to correspond to the OFFSET of
their environment.

Arrow #4 [Line 137], handler: this is the payload handler that implements the staging and the connection between the attacker and the victim.

Arrow #5, Click the
icon to
close leafpad

Section 14: PCMan -
It's Metasploit Time!!!

Section Notes

Notes(FYI):

In this section, we will use
pcman_user.rb to exploit PCMan.

Start PCMan FTP Server (On Damn Vulnerable WXP-SP2)

Instructions:

Right Click on PCMANFTPD2

Click on Open

PCMan is Online

Note(FYI):

Notice the FTP Server is
online.

I apologize for the
repetitive starting and stopping of the FTP Server.

Starting msfconsole (On Kali 1.0.5)

Instructions:

script pcman_user.txt

msfconsole

Note(FYI):

Arrow #1, Use (script) to create a typescript that will store all the terminal output in the (pcman_user.txt) file.

Arrow
#2, Use (msfconsole) to access the Metasploit Framework Console.

Search for pcman

Instructions:

search pcman

Note(FYI):

Arrow #1, Use (search) to find any modules that mention the string (pcman). Notice the module (exploit/windows/ftp/pcman_user) is now available for your selection. This is the module that we added earlier in (Section 8, Step 2).

Use the pcman_user module

Instructions:

use exploit/windows/ftp/pcman_user

Note(FYI):

Arrow #1, Use the
module (exploit/windows/ftp/pcman_user).

show options for pcman_user

Instructions:

show options

Notice that OFFSET
contains the default value of 2002

Notice the RHOST is not
set and is a required value.

Note(FYI):

Arrow #1, Use (show options) to display (1) the module (pcman_user) options, (2) their current settings and whether each is required, and (3) their descriptions.

Arrow #2, OFFSET
is a required option, which is pre-set to 2002 bytes.

Arrow #3, RHOST is
the IP Address of the victim machine, whose value is currently not
set.

Arrow
#2, Use (getuid) to display the user that the Meterpreter server
is running as on the host.

Arrow #3, Use (getpid) to display the Process ID that the Meterpreter server is running under on the host.

Display the Hashdump

Instructions:

hashdump

Note(FYI):

Arrow
#1, Use (hashdump) to display the contents of the SAM database
file. The Security Account Manager (SAM) is a database file in
Windows XP, Windows Vista and Windows 7 that stores users'
passwords.

Using MimiKatz

Instructions:

load mimikatz

wdigest

Note(FYI):

Arrow
#1, Use (load mimikatz) to load the Mimikatz module into memory.

Arrow #2, Use the Mimikatz Metasploit command (wdigest) to display the passwords of users that are currently logged into the server.

Using Shell

Instructions:

shell

cd ../../../

echo %USERNAME%

net users

Note(FYI):

Arrow
#1, Use (shell) to enter into a standard shell on the target
system.

Arrow
#2, We go back three directories (../../../) since the PCMan
directory is really long. This is really not necessary to do.

Arrow #3, Use (echo %USERNAME%) to display the user that the Meterpreter shell session is running as on the host.